Beck v. McDonald, No. 15-1395 (4th Cir. 2017)

In these consolidated appeals, veterans who received medical treatment and health care at the Dorn VAMC, filed separate actions against the Secretary of Veterans Affairs and Dorn VAMC officials, alleging violations of the Privacy Act of 1974, 5 U.S.C. 552(a) et seq., and the Administrative Procedure Act (APA), 5 U.S.C. 701 et seq. Plaintiffs sought to establish Article III standing based on the harm from the increased risk of future identity theft and the cost of measures to protect against it. The district court dismissed based on lack of subject-matter jurisdiction. The court affirmed the district court's dismissal, concluding that plaintiffs failed to establish a non-speculative, imminent injury-in-fact for purposes of Article III standing.

PUBLISHED UNITED STATES COURT OF APPEALS FOR THE FOURTH CIRCUIT No. 15-1395 RICHARD G. BECK; LAKRESHIA R. JEFFERY; BEVERLY WATSON; CHERYL GAJADHAR; JEFFERY WILLHITE, on behalf of themselves and all others similarly situated, Plaintiffs - Appellants, v. ROBERT A. MCDONALD, in his official capacity as Secretary of Veterans Affairs; TIMOTHY B. MCMURRY, in his official capacity as the former Medical Director of William Jennings Bryan Dorn VA Medical Center; BERNARD L. DEKONING, in his official capacity as the Chief of Staff of William Jennings Bryan Dorn VA Medical Center; RUTH MUSTARD, RN, Director for Patient Care-Nursing Services of William Jennings Bryan Dorn VA Medical Center; JON ZIVONY, Assistant Director of William Jennings Bryan Dorn VA Medical Center; DAVID L. OMURA, in his official capacity as the Associate Director of William Jennings Bryan Dorn VA Medical Center, Defendants – Appellees. No. 15-1715 BEVERLY WATSON, on behalf of herself and all others similarly situated, Plaintiff - Appellant, v. ROBERT A. MCDONALD, in his official capacity as Secretary of Veterans Affairs; TIMOTHY MCMURRY, in his official capacity as the Medical Director of William Jennings Bryan Dorn VA Medical Center; RUTH MUSTARD, RN, in her official capacity as the Associate Director for Patient Care/Nursing Services of William Jennings Bryan Dorn VA Medical Center; DAVID L. OMURA, in his official capacity as the Associate Director of William Jennings Bryan Dorn VA Medical Center; JON ZIVONY, in his official capacity as the Assistant Director of William Jennings Bryan Dorn VA Medical Center; SUE PANFIL, in her official capacity as the Privacy Officer of William Jennings Bryan Dorn VA Medical Center, Defendants – Appellees. Appeals from the United States District Court for the District of South Carolina, at Columbia. Terry L. Wooten, Chief District Judge. (3:13−cv−00999−TLW; 3:14-cv03594-TLW) Argued: September 20, 2016 Decided: February 6, 2017 Before NIEMEYER and DIAZ, Circuit Judges, and Irene M. KEELEY, United States District Judge for the Northern District of West Virginia, sitting by designation. Affirmed by published opinion. Judge Diaz wrote the opinion, in which Judge Niemeyer and Judge Keeley joined. ARGUED: Douglas J. Rosinski, Columbia, South Carolina, for Appellants. Sonia Katherine McNeil, UNITED STATES DEPARTMENT OF JUSTICE, Washington, D.C., for Appellees. ON BRIEF: D. Michael Kelly, Bradley D. Hewett, MIKE KELLY LAW GROUP, LLC, Columbia, South Carolina, for Appellants. Benjamin C. Mizer, Principal Deputy Assistant Attorney General, Mark B. Stern, Civil Division, UNITED STATES DEPARTMENT OF JUSTICE, Washington, D.C.; William N. Nettles, United States Attorney, OFFICE OF THE UNITED STATES ATTORNEY, Columbia, South Carolina, for Appellees. 2 DIAZ, Circuit Judge: The Plaintiffs in these consolidated appeals are veterans who received medical treatment and health care at the William Jennings Bryan Dorn Veterans Affairs Medical Center (“Dorn VAMC”) in Columbia, South Carolina. After two data breaches at the Center compromised their personal information, the Plaintiffs brought separate actions against the Secretary of Veterans Affairs and Dorn VAMC officials (“Defendants”), alleging violations of the Privacy Act of 1974, 5 U.S.C. § 552a et seq. and the Administrative Procedure Act (“APA”), 5 U.S.C. § 701 et seq. In both cases, the Plaintiffs sought to establish Article III standing based on the harm from the increased risk of future identity theft and the cost of measures to protect against it. The district court dismissed the actions for lack of subject-matter jurisdiction, holding that the Plaintiffs failed to establish a non-speculative, imminent injury-in-fact for purposes of Article III standing. We agree with the district court and therefore affirm. I. A. The Beck case arises from a report that on February 11, 2013, a laptop connected to a pulmonary function testing device with a Velcro strip was misplaced or stolen from Dorn VAMC’s Respiratory Therapy department. The laptop contains unencrypted personal information of approximately 7,400 patients, including names, birth dates, the last four digits of social security numbers, and physical descriptors (age, race, gender, height, and weight). 3 An internal investigation determined that the laptop was likely stolen and that Dorn VAMC failed to follow the policies and procedures for utilizing a non-encrypted laptop to store patient information. Dorn VAMC officials used medical appointment records to notify every patient tested using the missing laptop and offered one year of free credit monitoring. To date, the laptop has not been recovered. Richard Beck and Lakreshia Jeffery (the “Beck plaintiffs”) 1 filed suit on behalf of a putative class of the approximately 7,400 patients whose information was stored on the missing laptop. Relevant to this appeal, the Beck plaintiffs sought declaratory relief and monetary damages under the Privacy Act, alleging that the “Defendants’ failures” and “violations” of the Privacy Act “caused Plaintiffs . . . embarrassment, inconvenience, unfairness, mental distress, and the threat of current and future substantial harm from identity theft and other misuse of their Personal Information.” J.A. 12. They further allege that the “threat of identity theft” required them to frequently monitor their “credit reports, bank statements, health insurance reports, and other similar information, purchas[e] credit watch services, and [shift] financial accounts.” J.A. 12. In addition to their Privacy Act claims, the Beck plaintiffs sought broad injunctive relief under the APA, requiring the VA to account for all Privacy Act records in the possession of Dorn VAMC and to recover and permanently destroy any improperly maintained records. The Beck plaintiffs also sought to enjoin the Defendants from transferring patient information from computer systems to any portable device “until and 1 The Beck plaintiffs later amended their complaint to add as named plaintiffs Beverly Watson, Cheryl Gajadhar, and Jeffery Willhite. 4 unless Defendants demonstrate to the Court that adequate information security has been established.” J.A. 23. Finally, the Beck plaintiffs alleged separate common-law negligence claims. The Defendants moved to dismiss for lack of subject-matter jurisdiction or, in the alternative, for failure to state a claim. The district court granted the motion as to the common-law negligence claims, but declined to dismiss the Privacy Act and APA claims. Following extensive discovery, the Plaintiffs moved for partial summary judgment and for class certification. The Defendants renewed their motion to dismiss the Plaintiffs’ claims for lack of subject-matter jurisdiction and, in the alternative, moved for summary judgment. The district court granted the Defendants’ motion to dismiss, holding, pursuant to Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1155 (2013), that the Beck plaintiffs lacked standing under the Privacy Act because they had “not submitted evidence sufficient to create a genuine issue of material fact as to whether they face a ‘certainly impending’ risk of identity theft.” J.A. 1059. The Beck plaintiffs’ fear of harm from future identity theft, said the district court, was too speculative to confer standing because it was “contingent on a chain of attenuated hypothetical events and actions by third parties independent of the defendants.” J.A. 1059 (citing Clapper, 113 S. Ct. at 1148). The Beck plaintiffs also failed to satisfy the “lesser standard” of “substantial risk” of future harm referenced in Clapper: The plaintiffs’ calculations that 33% of those affected by the laptop theft would have their identities stolen and that all affected would be 9.5 times more likely to 5 experience identity theft “d[id] not suffice to show a substantial risk of identity theft.” J.A. 1060. The district court also rejected the Beck plaintiffs’ attempt to “create standing by choosing to purchase credit monitoring services or taking any other steps designed to mitigate the speculative harm of future identity theft.” J.A. 1061. These measures, according to the court, did not amount to an injury-in-fact because they were taken solely “to mitigate a speculative future harm.” J.A. 1061. Turning to the Beck plaintiffs’ request for injunctive relief under the APA, the district court acknowledged that the claim that “there have been at least seventeen data breaches at Dorn [VAMC] during the course of th[e] [Beck] litigation” was “undoubtedly concerning.” J.A. 1064. Nonetheless, the court concluded that Dorn VAMC’s “past Privacy Act violations are insufficient to establish Plaintiffs’ standing to seek injunctive relief” where it was “no more than speculation for Plaintiffs to assert that their personal information will again be compromised by a future Privacy Act violation and that they will be injured as a result.” J.A. 1064. The district court ruled in the alternative that the Defendants were entitled to summary judgment on the merits, because: (1) the Beck plaintiffs had not suffered “actual damages” as required to recover damages under the Privacy Act, and (2) the APA could not be read to “provide for the broad judicial oversight” of the VA’s entire privacy program sought by the Plaintiffs. J.A. 1067–68. 6 B. The Watson case arises from Dorn VAMC’s July 2014 discovery that four boxes of pathology reports headed for long-term storage had been misplaced or stolen. The reports contain identifying information of over 2,000 patients, including names, social security numbers, and medical diagnoses. Dorn VAMC officials alerted those affected and, as they did following the laptop’s disappearance, offered each of them one year of free credit monitoring. The boxes have not been recovered. While the Beck litigation was pending, Beverly Watson 2 brought a putative classaction lawsuit on behalf of the over 2,000 individuals whose pathology reports had gone missing. Watson sought money damages and declaratory and injunctive relief, alleging the same harm as did the Beck plaintiffs. The Defendants moved to dismiss the complaint for lack of subject-matter jurisdiction and for failure to state a claim. The district court granted the Defendants’ motion to dismiss for lack of subjectmatter jurisdiction, relying on Clapper to hold that Watson lacked Article III standing under the Privacy Act because she “ha[d] not alleged that there ha[d] been any actual or attempted misuse of her personal information,” thus rendering her allegation that her information “will eventually be misused as a result of the disappearance of the boxes . . . speculative.” J.A. 1091. According to the district court, for Watson to suffer the injury she feared, the court would have to assume that: (1) the boxes were stolen by someone bent on misusing the 2 Ms. Watson is also a named plaintiff in Beck. 7 personal information in the pathology reports; (2) the thief would select Watson’s report from the over 3,600 reports in the missing boxes; (3) the thief would then attempt to use or sell to others Watson’s personal information; and (4) the thief or purchaser of Watson’s information would successfully use the information in the report to steal Watson’s identity. This “attenuated chain of possibilities” did not satisfy Watson’s burden to show that her threatened injury was “certainly impending.” J.A. 1092. As it did in Beck, the district court rejected Watson’s allegations that any costs incurred to fend off future identity theft constituted an injury-in-fact. Turning to Watson’s claim for injunctive relief under the APA, the district court concluded that her allegations, based on Dorn VAMC’s “historic inability or unwillingness to protect Plaintiff’s personal information” were insufficient to show that, absent injunctive relief, she would be “in real and immediate danger of sustaining a direct injury as a result of some official conduct.” J.A. 1096. All Plaintiffs appeal the district court’s ruling as to Article III standing. 3 The Beck plaintiffs also appeal the district court’s alternative ruling that the Defendants are entitled to summary judgment on the Privacy Act and APA claims. Because we find that the Plaintiffs do not have Article III standing, we do not address the merits. 3 We granted an unopposed motion to consolidate the cases. 8 II. We review de novo the district court’s decision to dismiss for lack of standing. 24th Senatorial Dist. Republican Comm. v. Alcorn, 820 F.3d 624, 628 (4th Cir. 2016). Article III of the U.S. Constitution limits the jurisdiction of federal courts to “Cases” and “Controversies.” U.S. Const. art. III, § 2. “One element of the case-orcontroversy requirement is that plaintiffs must establish that they have standing to sue.” Clapper, 133 S. Ct. at 1146 (internal citations and quotation marks omitted). To invoke federal jurisdiction, a plaintiff bears the burden of establishing the three “irreducible minimum requirements” of Article III standing: (1) an injury-in-fact (i.e., a concrete and particularized invasion of a legally protected interest); (2) causation (i.e., a fairly traceable connection between the alleged injury in fact and the alleged conduct of the defendant); and (3) redressability (i.e., it is likely and not merely speculative that the plaintiff’s injury will be remedied by the relief plaintiff seeks in bringing suit). David v. Alphin, 704 F.3d 327, 333 (4th Cir. 2013) (internal alterations and quotation marks omitted). In a class action, we analyze standing based on the allegations of personal injury made by the named plaintiffs. See Doe v. Obama, 631 F.3d 157, 160 (4th Cir. 2011) (citing Warth v. Seldin, 422 U.S. 490, 501 (1975)). “Without a sufficient allegation of harm to the named plaintiff in particular, plaintiffs cannot meet their burden of establishing standing.” Id. A defendant may challenge subject-matter jurisdiction in one of two ways: facially or factually. See Kerns v. United States, 585 F.3d 187, 192 (4th Cir. 2009). In a facial 9 challenge, the defendant contends “that a complaint simply fails to allege facts upon which subject matter jurisdiction can be based.” Id. (quoting Adams v. Bain, 697 F.2d 1213, 1219 (4th Cir. 1982)). Accordingly, the plaintiff is “afforded the same procedural protection as she would receive under a Rule 12(b)(6) consideration,” wherein “the facts alleged in the complaint are taken as true,” and the defendant’s challenge “must be denied if the complaint alleges sufficient facts to invoke subject matter jurisdiction.” Id. In a factual challenge, the defendant argues “that the jurisdictional allegations of the complaint [are] not true,” providing the trial court the discretion to “go beyond the allegations of the complaint and in an evidentiary hearing determine if there are facts to support the jurisdictional allegations.” Id. (first alteration in original) (quoting Adams, 697 F.2d at 1219). In this posture, “the presumption of truthfulness normally accorded a complaint’s allegations does not apply.” Id. Critically, the procedural posture of the case dictates the plaintiff’s burden as to standing. Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992) (“[E]ach element [of standing] must be supported in the same way as any other matter on which the plaintiff bears the burden of proof, i.e., with the manner and degree of evidence required at the successive stages of the litigation.”). Here, the district court dismissed Watson on the pleadings and Beck at summary judgment. “At the pleading stage, general factual allegations of injury resulting from the defendant’s conduct may suffice, for on a motion to dismiss we presume that general allegations embrace those specific facts that are necessary to support the claim.” Id. (internal citations omitted). As such, we accept as true Watson’s allegations for which 10 there is sufficient “factual matter” to render them “plausible on [their] face.” See Ashcroft v. Iqbal, 566 U.S. 662, 678 (2009) (internal citations omitted). We do not, however, apply the same presumption of truth to “conclusory statements” and “legal conclusions” contained in Watson’s complaint. See id.; Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555–56 (2007). By contrast, having developed through discovery a summary judgment record, the Beck plaintiffs are not entitled to “rest on such mere allegations, but must set forth by affidavit or other evidence specific facts, which for purposes of the summary judgment motion will be taken to be true.” Lujan, 504 U.S. at 561 (citing Fed. R. Civ. P. 56) (internal quotations omitted). III. A. We focus our inquiry on the first element of Article III standing: injury-in-fact. “To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016) (quoting Lujan, 504 U.S. at 560). 4 And while it is true “that threatened rather than actual 4 In Spokeo, the Supreme Court suggested that some violations of the Fair Credit Reporting Act (“FCRA”), though “intangible” harms, may still be sufficiently “concrete” to establish an Article III injury-in-fact. 136 S. Ct. at 1549–50. In Spokeo’s aftermath, some plaintiffs have attempted to establish Article III standing by alleging that the violation of a privacy statute, in and of itself, is sufficiently “concrete” to establish an (Continued) 11 injury can satisfy Article III standing requirements,” Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 160 (4th Cir. 2000) (en banc), not all threatened injuries constitute an injury-in-fact. Rather, as the Supreme Court has “emphasized repeatedly,” an injury-in-fact “must be concrete in both a qualitative and temporal sense.” Whitmore v. Arkansas, 495 U.S. 149, 155 (1990). “The complainant must allege an injury to himself that is distinct and palpable, as opposed to merely abstract.” (internal citations and quotations omitted). Id. “Although ‘imminence’ is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes.” Lujan, 504 U.S. at 564–65, n. 2. The Court recently explored the “threatened injury” theory of Article III standing in Clapper v. Amnesty International USA. That case involved a constitutional challenge to section 1881a of the Foreign Intelligence Surveillance Act of 1978 (“FISA”), which, “upon the issuance of an order from the Foreign Intelligence Surveillance Court,” authorizes “for a period of up to 1 year” the Attorney General and the Director of “injury-in-fact,” to varying result. Compare In re Horizon Healthcare Servs. Inc. Data Breach Litig., No. 15-2309, 2017 WL 242554, at *11 (3d Cir. Jan. 20, 2017) (“[T]he unauthorized dissemination of . . . private information—the very injury that FCRA is intended to prevent . . . [is] a de facto injury that satisfies the concreteness requirement for Article III standing.”) with Gubala v. Time Warner Cable, Inc., No. 16-2613, 2017 WL 243343, at *4 (7th Cir. Jan. 20, 2017) (plaintiff’s failure to allege or provide evidence of any concrete injury inflicted or likely to be inflicted on the plaintiff as a consequence of Time Warner's continued retention of his personal information in violation of the Cable Communications Policy Act insufficient to confer Article III standing). Spokeo is not controlling here, as the Plaintiffs do not allege that Dorn VAMC’s violations of the Privacy Act alone constitute an Article III injury-in-fact. 12 National Intelligence to target for surveillance “persons reasonably believed to be located outside the United States to acquire foreign intelligence information.” 133 S. Ct. at 1144 (quoting 50 U.S.C. § 1881a). The respondents—attorneys and human-rights, labor, legal, and media organizations whose work required them to communicate via telephone and e-mail with individuals located abroad-—sought a declaration that the provision was facially unconstitutional and a permanent injunction against its use. Id. at 1146. The respondents alleged two injuries: (1) that § 1881a curtailed their ability to “locate witnesses, cultivate sources, obtain information, and communicate confidential information,” and (2) that they had implemented “costly and burdensome measures,” including traveling abroad to have in-person conversations, to protect the confidentiality of their sensitive communications from FISA surveillance. Id. at 1145–46. The district court ruled that the respondents lacked standing. Id. at 1146. On appeal, the Second Circuit reversed, holding that the “objectively reasonable likelihood” that the respondents’ communications would be intercepted at some future time and their allegation that they suffered economic and professional harm as a result were sufficient to confer standing. Id. The Supreme Court rejected the Second Circuit’s use of an “objectively reasonable likelihood” standard for Article III standing as inconsistent with the Court’s long-established requirement that “threatened injury must be certainly impending to constitute injury in fact.” Id. at 1147–48 (listing cases). Addressing first the respondents’ allegation that the Government would target their private communications, 13 the Court catalogued the series of hypothetical events that would have to occur to establish an “imminent” injury-in-fact: namely, the speculative possibility that the Government, pursuant to § 1881a’s “many safeguards,” would successfully target and intercept the communications of those foreigners with whom the respondents worked. Id. at 1148–50. The respondents’ theory of standing, premised on this “highly attenuated chain of possibilities” could not “satisfy the requirement that threatened injury must be certainly impending.” Id. at 1148. The respondents’ second theory of injury, premised on the “costly and burdensome” measures they had undertaken to protect the confidentiality of their communications, also failed to confer standing. Id. at 1150–51. The Court reasoned that the respondents’ attempts to minimize e-mail and phone conversations, to speak “in generalities rather than specifics,” and to travel abroad to have in-person conversations, were all costs “incurred in response to a speculative threat.” Id. at 1151. The Court declined to “water[] down the fundamental requirements of Article III” by allowing respondents to “manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Id. Clapper’s discussion of when a threatened injury constitutes an Article III injuryin-fact is controlling here. Before explaining why, we address the Plaintiffs’ contention that the district court misread Clapper to require a new, heightened burden for proving an Article III injury-in-fact. To the contrary, Clapper’s iteration of the well-established tenet that a threatened injury must be “certainly impending” to constitute an injury-in-fact is hardly novel. E.g., DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 345 (2006) (an 14 asserted injury is “imminent” when it is “certainly impending”); Lujan, 504 U.S. at 564– 65, n.2 (same); Whitmore, 495 U.S. at 158 (“A threatened injury must be ‘certainly impending’ to constitute injury in fact.”). We also reject the Plaintiffs’ claim that “emotional upset” and “fear [of] identity theft and financial fraud” resulting from the data breaches are “adverse effects” sufficient to confer Article III standing. Appellants’ Br. at 22 (citing 5 U.S.C. § 552a(e)(10)). That assertion reflects a misunderstanding of the Privacy Act and is an overextension of Doe v. Chao, 540 U.S. 614 (2004). The sole issue in Chao was whether a Privacy Act plaintiff must prove actual damages to qualify for the minimum statutory award of $1,000. 540 U.S. at 616. There, a black-lung claimant brought suit under the Privacy Act against the Department of Labor for improperly disclosing his social security number. Id. at 617. This court held that the Department was entitled to summary judgment, concluding that the claimant had failed to raise a triable issue of fact about actual damages because he had submitted no corroboration for his claim of emotional distress. Id. The Supreme Court affirmed, reasoning that “a straightforward textual analysis” of the Privacy Act required a plaintiff to prove actual damages from an intentional or willful violation of the Act to qualify for the award. Id. at 620. As the Court explained in Chao, “the reference in [the Privacy Act] to ‘adverse effect’ [is] a term of art identifying a potential plaintiff who satisfies the injury-in-fact and causation requirements of Article III standing.” 540 U.S. at 624 (emphasis added). We decline to interpret dicta in Chao discussing the plaintiff’s “conclusory allegations” 15 that he was “torn . . . all to pieces” by the unauthorized disclosure of his social security number as support for the proposition that bare assertions of emotional injury are sufficient to confer Article III standing. Id. at 617, 624–25. This court is “bound by holdings” of the Supreme Court, not its “unwritten assumptions.” Fernandez v. Keisler, 502 F.3d 337, 343–44, n.2 (4th Cir. 2007). Accordingly, with Clapper’s tenets firmly in tow, we address the two grounds for Article III standing pressed by the Plaintiffs for their Privacy Act claims: (1) the increased risk of future identity theft, and (2) the costs of protecting against the same. Increased Risk of Future Identity Theft Our sister circuits are divided on whether a plaintiff may establish an Article III injury-in-fact based on an increased risk of future identity theft. The Sixth, Seventh, and Ninth Circuits have all recognized, at the pleading stage, that plaintiffs can establish an injury-in-fact based on this threatened injury. See Galaria v. Nationwide Mut. Ins. Co., No. 15-3386, 2016 WL 4728027, at *3 (6th Cir. Sept. 12, 2016) (plaintiff-customers’ increased risk of future identity theft theory established injury-in-fact after hackers breached Nationwide Mutual Insurance Company’s computer network and stole their sensitive personal information, because “[t]here is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of illintentioned criminals”); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692, 694– 95 (7th Cir. 2015) (plaintiff-customers’ increased risk of future fraudulent charges and identity theft theory established “certainly impending” injury-in-fact and “substantial risk of harm” after hackers attacked Neiman Marcus with malware to steal credit card 16 numbers, because “[p]resumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities”); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43 (9th Cir. 2010) (plaintiff-employees’ increased risk of future identity theft theory a “credible threat of harm” for Article III purposes after theft of a laptop containing the unencrypted names, addresses, and social security numbers of 97,000 Starbucks employees); Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 632–34 (7th Cir. 2007) (banking services applicants’ increased risk of harm theory satisfied Article III injury-in-fact requirement after “sophisticated, intentional and malicious” security breach of bank website compromised their information). By contrast, the First and Third Circuits have rejected such allegations. See Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012) (brokerage account-holder’s increased risk of unauthorized access and identity theft theory insufficient to constitute “actual or impending injury” after defendant failed to properly maintain an electronic platform containing her account information, because plaintiff failed to “identify any incident in which her data has ever been accessed by an unauthorized person”); Reilly v. Ceridian Corp., 664 F.3d 38, 40, 44 (3d Cir. 2011) (plaintiff-employees’ increased risk of identity theft theory too hypothetical and speculative to establish “certainly impending” injury-infact after unknown hacker penetrated payroll system firewall, because it was “not known whether the hacker read, copied, or understood” the system’s information and no evidence suggested past or future misuse of employee data or that the “intrusion was intentional or malicious”). 17 The Plaintiffs say that our sister circuits’ decisions in Krottner, Pisciotta, and Remijas support their allegations of standing based on threatened injury of future identity theft. 5 To the contrary, these cases demonstrate why the Plaintiffs’ theory is too speculative to constitute an injury-in-fact. Underlying the cases are common allegations that sufficed to push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent. In Galaria, Remijas, and Pisciotta, for example, the data thief intentionally targeted the personal information compromised in the data breaches. Galaria, 2016 WL 4728027, at *1 (“[H]ackers broke into Nationwide's computer network and stole the personal information of Plaintiffs and 1.1 million others.”); Remijas, 794 F.3d at 694 (“Why else would hackers break into a store's database and steal consumers’ private information?”); Pisciotta, 499 F.3d at 632 (“scope and manner” of intrusion into banking website’s hosting facility was “sophisticated, intentional and malicious”). And, in Remijas and Krottner, at least one named plaintiff alleged misuse or access of that personal information by the thief. Remijas, 794 F.3d at 690 (9,200 of the 350,000 credit cards 5 The Plaintiffs also rely on the environmental law cases of Friends of the Earth, Inc. v Laidlaw Environmental Services, 528 U.S. 167 (2000) and Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 629 F.3d 387, 394 (4th Cir. 2011) (en banc) to support their view that a “reasonable concern” of harm is sufficient to confer Article III standing. Appellants’ Br. at 23. “In the environmental litigation context, [however], the standing requirements are not onerous.” Am. Canoe Ass'n v. Murphy Farms, Inc., 326 F.3d 505, 517 (4th Cir. 2003). This is so because “[t]he extinction of a species, the destruction of a wilderness habitat, or the fouling of air and water are harms that are frequently difficult or impossible to remedy” by monetary compensation. Cent. Delta Water Agency v. United States, 306 F.3d 938, 950 (9th Cir. 2002). By contrast, in databreach cases, “there is no reason to believe that monetary compensation will not return plaintiffs to their original position completely.” Reilly, 664 F.3d at 45. 18 potentially exposed to malware “were known to have been used fraudulently”); Krottner, 628 F.3d at 1141 (named plaintiff alleged that, two months after theft of laptop containing his social security number, someone attempted to open a new account using his social security number). Here, the Plaintiffs make no such claims. This in turn renders their contention of an enhanced risk of future identity theft too speculative. On this point, the data breaches in Beck and Watson occurred in February 2013 and July 2014, respectively. Yet, even after extensive discovery, the Beck plaintiffs have uncovered no evidence that the information contained on the stolen laptop has been accessed or misused or that they have suffered identity theft, nor, for that matter, that the thief stole the laptop with the intent to steal their private information. 6 Watson’s complaint suffers from the same deficiency with regard to the four missing boxes of pathology reports. Moreover, “as the breaches fade further into the past,” the Plaintiffs’ threatened injuries become more and more speculative. See Chambliss v. Carefirst, Inc., No. 15-2288, 2016 WL 3055299, at *4 (D. Md. May 27, 2016); In re Zappos.com, 108 F. Supp. 3d 949, 958 (D. Nev. 2015) (“[T]he passage of time without a single report from Plaintiffs that they in fact suffered the harm they fear must mean something.”). The Plaintiffs counter that there is “no need to speculate” here because they have alleged-and in the Beck case the VA’s investigation concluded—that the laptop and 6 Ms. Gajadhar, a named Beck plaintiff, testified to three unauthorized credit card charges, later reimbursed by her bank. However, she failed to attribute those charges to the 2013 laptop theft. Nor could she, given that the data on the stolen laptop did not contain any credit card or bank account information. 19 pathology reports had been stolen. See J.A. 824. We of course accept this allegation as true. But the mere theft of these items, without more, cannot confer Article III standing. See Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1, 7–8 (D.D.C. 2007) (deeming as speculative plaintiffs’ allegations “that at some unspecified point in the indefinite future they will be the victims of identity theft” where, although plaintiffs clearly alleged their information was stolen by a burglar, they did “not allege that the burglar who stole the laptop did so in order to access their [i]nformation, or that their [i]nformation ha[d] actually been accessed since the laptop was stolen”). Indeed, for the Plaintiffs to suffer the harm of identity theft that they fear, we must engage with the same “attenuated chain of possibilities” rejected by the Court in Clapper. 133 S. Ct. at 1147–48. In both cases, we must assume that the thief targeted the stolen items for the personal information they contained. And in both cases, the thieves must then select, from thousands of others, the personal information of the named plaintiffs and attempt successfully to use that information to steal their identities. This “attenuated chain” cannot confer standing. The Plaintiffs insist that the district court required them to show “concrete evidence that [their] personal information had already been misused,” thus forcing someone in their position “‘to wait for the threatened harm to materialize in order to sue.’” Appellants’ Br. at 28 (quoting Remijas, 794 F.3d at 694). We disagree. The district court sought only to hold the Plaintiffs to their respective burdens to either “plausibly plead” factual allegations or “set forth particular evidence” sufficient to show 20 that the threatened harm of future identity theft was “certainly impending.” This they failed to do. Nonetheless, our inquiry on standing is not at an end, for we may also find standing based on a “substantial risk” that the harm will occur, which in turn may prompt a party to reasonably incur costs to mitigate or avoid that harm. Clapper, 133 S. Ct. at 1150 n.5. But here too the Plaintiffs fall short of their burden. The Plaintiffs allege that: (1) 33% of health-related data breaches result in identity theft; (2) the Defendants expend millions of dollars trying to avoid and mitigate those risks; and (3) by offering the Plaintiffs free credit monitoring, the VA effectively conceded that the theft of the laptop and pathology reports constituted a “reasonable risk of harm to those victimized” by the data breaches. Appellants’ Br. at 31 (citing 38 C.F.R. § 75.116 (authorizing Secretary of Veterans Affairs to offer credit protection services for mitigative purposes upon finding that “reasonable risk exists” for “potential misuse of sensitive personal information” compromised in a data breach)). These allegations are insufficient to establish a “substantial risk” of harm. 7 Even if we credit the Plaintiffs’ allegation that 33% of those affected by Dorn VAMC data breaches will become victims of identity theft, it follows that over 66% of veterans affected will suffer no harm. This statistic falls far short of establishing a “substantial 7 The Plaintiffs’ claim that data-breach victims are 9.5 times more likely than the average person to suffer identity theft does not alter our conclusion. As the Defendants point out, this general statistic says nothing about the risk arising out of any particular incident, nor does it address the particular facts of this case. 21 risk” of harm. E.g., Khan v. Children’s Nat’l Health Sys., 188 F. Supp. 3d 524, 533 (D. Md. 2016) (“general allegations . . . that data breach victims are 9.5 times more likely to suffer identity theft and that 19 percent of data breach victims become victims of identity theft” insufficient to establish “substantial risk” of harm); In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 26 (D.D.C. 2014) (no “substantial risk” of harm where “[b]y Plaintiff's own calculations, then, injury is likely not impending for over 80% of victims”). The Plaintiffs’ other allegations fare no better. Contrary to some of our sister circuits, we decline to infer a substantial risk of harm of future identity theft from an organization’s offer to provide free credit monitoring services to affected individuals. 8 To adopt such a presumption would surely discourage organizations from offering these services to data-breach victims, lest their extension of goodwill render them subject to suit. Further, we read Clapper’s rejection of the Second Circuit’s attempt to import an “objectively reasonable likelihood” standard into Article III standing to express the common-sense notion that a threatened event can be “reasonabl[y] likel[y]” to occur but still be insufficiently “imminent” to constitute an injury-in-fact. See 133 S. Ct. at 1147– 48. Accordingly, neither the VA’s finding that a “reasonable risk exists” for the 8 See, e.g., Galaria, 2016 WL 4728027, at *3 (“Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year.”); Remijas, 794 F.3d at 694 (“It is telling . . . that Neiman Marcus offered one year of credit monitoring and identity-theft protection to all [potentially affected] customers. It is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.”). 22 “potential misuse of sensitive personal information” following the data breaches, nor its decision to pay for credit monitoring to guard against it is enough to show that the Defendants subjected the Plaintiffs to a “substantial risk” of harm. Cost of Mitigative Measures Next, we turn to the Plaintiffs’ allegation that they have suffered an injury-in-fact because they have incurred or will in the future incur the cost of measures to guard against identity theft, including the costs of credit monitoring services. All Plaintiffs allege that they wish to enroll in, are enrolled in, or have purchased credit monitoring services. They also say that, as a consequence of the breaches, they have incurred the burden of monitoring their financial and credit information. Even accepting these allegations as true, they do not constitute an injury-in-fact. As was the case in Clapper, the Plaintiffs here seek “to bring this action based on costs they incurred in response to a speculative threat,” i.e. their fear of future identity theft based on the breaches at Dorn VAMC. Id. at 1151. But this allegation is merely “a repackaged version of [Plaintiffs’] first failed theory of standing.” Id. Simply put, these self-imposed harms cannot confer standing. See, e.g., Remijas, 794 F.3d at 694 (“Mitigation expenses do not qualify as actual injuries where the harm is not imminent.”); Reilly, 664 F.3d at 46 (“[P]rophylactically spen[ding] money to ease fears of [speculative] future third-party criminality . . . is not sufficient to confer standing.”). 23 B. Finally, we address the Plaintiffs’ request for broad injunctive relief under the APA. 9 To establish their standing to seek such relief, the Plaintiffs borrow from the statutory language of the Privacy Act, contending that the “substantial harm,” “embarrassment,” “inconvenience,” and “unfairness” caused them by the Defendants satisfies their Article III burden because they have been “adversely affected” within the meaning of the APA. See 5 U.S.C. §§ 552a(e)(10), 702. These citations to the Privacy Act’s language are inapposite: The APA’s “adversely affected” language does not relieve the Plaintiffs of their burden to prove Article III standing. See Match-E-Be-Nash-She-Wish Band of Pottawatomi Indians v. Patchak, 132 S. Ct. 2199, 2210 (“[A] person suing under the APA must satisfy not only Article III's standing requirements,” but also the prudential “zone of interests” test) (internal quotations omitted). Rather, we agree with the district court that the Plaintiffs do not have standing to seek injunctive relief under the APA because allegations of Dorn VAMC’s past Privacy Act violations are insufficient to establish an ongoing case or controversy. See City of Los Angeles v. Lyons, 461 U.S. 95, 101–02 (1974) (“[P]ast exposure to illegal conduct does not in itself show a present case or controversy regarding injunctive relief.”) (internal quotations omitted). A plaintiff who seeks . . . to enjoin a future action must demonstrate that he ‘is immediately in danger of sustaining some direct injury’ as the result of the challenged 9 We assume without deciding that injunctive relief is available in these circumstances. 24 official conduct.” Lebron v. Rumsfeld, 670 F.3d 540, 560 (4th Cir. 2012) (quoting Lyons, 461 U.S. at 102)). And this “threat of injury must be both ‘real and immediate,’ not ‘conjectural’ or ‘hypothetical.’” Id. The Plaintiffs say that Dorn VAMC’s “inadequate actions and inactions will repeatedly harm every veteran regardless of anything those individuals can do” where Dorn VAMC “has never been in compliance with the Privacy Act,” and where there is “no factual basis to believe VA will ever achieve compliance with safeguards requirements left to its own devices.” Appellants’ Br. at 38–39. We acknowledge that the named plaintiffs have been victimized by “at least two admitted VA data breaches,” and that Ms. Watson’s information was compromised in both the 2013 laptop theft and the 2014 pathology reports theft. Appellants’ Br. at 39. But “[a]bsent a sufficient likelihood that [Plaintiffs] will again be wronged in a similar way,” Lyons, 461 U.S. at 111, these past events, disconcerting as they may be, are not sufficient to confer standing to seek injunctive relief. See Lebron, 670 F.3d at 560–61 (affirming dismissal of former enemy combatant detainee’s request for injunction against future designation as an enemy combatant because the mere “possibility” of redesignation was insufficient to allege a “real” and “immediate” threat). The most that can be reasonably inferred from the Plaintiffs’ allegations regarding the likelihood of another data breach at Dorn VAMC is that the Plaintiffs could be victimized by a future data breach. That alone is not enough. 25 IV. For the reasons given, the judgments of the district court are AFFIRMED. 26